Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

emotet_pe_1min

windows10-1703-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    110s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/11/2022, 13:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8aa32d30a56e4917a17a16089e7e8a3b41813dec6fb606b868ed644f86ae99e.dll

  • Size

    534KB

  • MD5

    b6aa1390eb1add1428e901c74a267497

  • SHA1

    00270c43f2ec7e0708b4701fd2592e41dc8c4097

  • SHA256

    f8aa32d30a56e4917a17a16089e7e8a3b41813dec6fb606b868ed644f86ae99e

  • SHA512

    d71a36fa2566ce35d5b774b1d4bbe17b649ca9c3f1c26162ade226472439f985423ccc38412809fb260f8d074f32364ba79698085ffec2070a464022fa78015b

  • SSDEEP

    6144:vTKqTS2X5Bc1p7PIvaf66pPfTISFikbOM5pxHAz3SJnzo+28tz3+TThF4Sr:vucOk6pPAkbnjWzazwk3+vh

Score
10/10
emotetepoch5bankerpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080
ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
3
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
4
-----END PUBLIC KEY-----
eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
3
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
4
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f8aa32d30a56e4917a17a16089e7e8a3b41813dec6fb606b868ed644f86ae99e.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SRlMhPPcbUAxT\HkToQUEclRSzx.dll"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:4856

Network

  • flag-kr
    GET
    https://218.38.121.17/
    regsvr32.exe
    Remote address:
    218.38.121.17:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: jjdlcGWZDL=riH0lNRRgor0D8pStyOTFmAgbYJQrM5qWXcQM5QYxor7Gt15YocSc6T4Q9BuvP29K7iiOcgwBPZ3FKWa4bYnLQoG8UmVYZEXh2+BNwaWoRAVYp1FBWWDt4RN3X42CwMtaZfl84pvVqHLkIXPoXGkL0j2HbXxwKMPZyw2E7TM9h91Mu1cTlSMMJ1eGcTg5N8GQrtous5nTwCCQkhBuJGbxJ3iU3VWyGpOAaFtlBYuwqTm8A==
    Host: 218.38.121.17
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 04 Nov 2022 13:18:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 218.38.121.17:443
    https://218.38.121.17/
    tls, http
    regsvr32.exe
    1.1kB
     3.2kB
     11
    11

    HTTP Request

    GET https://218.38.121.17/

    HTTP Response

    200
No results found

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2848-120-0x00000000025E0000-0x0000000002610000-memory.dmp

    Filesize

    192KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.